Tcpdump is a command-line network sniffer for Linux/Unix and one of the most widely used packet capture tools. It uses libpcap to capture the frames an interface receives or transmits, and not only TCP/IP: the samples below also show STP frames, and filters such as arp or icmp work just as well.
tcpdump can also save captured packets to a file for later analysis. The file is written in pcap format, which can be read again with tcpdump itself or with Wireshark, an open-source GUI packet analyser (and its command-line companion tshark) that reads pcap files.
1. Prerequisites for using tcpdump
Many Linux distributions ship tcpdump already. If it is missing, install it with yum on Red Hat / CentOS (dnf on newer releases) or with apt-get on Debian / Ubuntu. Capturing requires raw-socket access, so run tcpdump as root (hence the # prompt in the examples below) or grant the binary the CAP_NET_RAW and CAP_NET_ADMIN capabilities; reading a saved capture file with -r needs no privileges.
a. tcpdump installation command in RHEL/CentOS.
$ sudo yum install tcpdump
b. tcpdump installation command in Ubuntu.
$ sudo apt-get install tcpdump
Below are 12 useful tcpdump commands to use once the tool is installed. Every live capture runs until you press Ctrl-C (or until the packet count given with -c is reached). The summary printed on exit lists packets captured, packets received by filter and packets dropped by kernel; a non-zero dropped count means the kernel capture buffer overflowed and the capture is incomplete, which matters when the capture is evidence.
2. To capture the TCP/IP traffic on specific interface
Running tcpdump with no arguments captures on the first configured, non-loopback interface it finds, and the output scrolls until you interrupt it. To capture on a specific interface, use the -i switch followed by the interface name, say eth0; -i any captures on all interfaces at once. The PTR queries visible in the output below are tcpdump's own reverse-DNS lookups of the addresses it prints (see the -n option in section 9).
# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:49:29.145122 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 2373162789:2373162977, ack 3861614025, win 289, options [nop,nop,TS val 547360 ecr 814562], length 188
01:49:29.145365 IP gateway.53938 > centos7srv1.ssh: Flags [.], ack 188, win 3327, options [nop,nop,TS val 814570 ecr 547360], length 0
01:49:29.146183 IP centos7srv1.56609 > gateway.domain: 20772+ PTR? 1.122.168.192.in-addr.arpa. (44)
01:49:29.146586 IP gateway.domain > centos7srv1.56609: 20772 NXDomain 0/0/0 (44)
01:49:29.148842 IP centos7srv1.52561 > gateway.domain: 65309+ PTR? 223.122.168.192.in-addr.arpa. (46)
01:49:29.149215 IP gateway.domain > centos7srv1.52561: 65309* 1/0/0 PTR centos7srv1. (71)
^C6 packets captured
9 packets received by filter
0 packets dropped by kernel
3. Capture Only Specific Number of Packets
Without a limit, tcpdump captures packets on the given interface until you press Ctrl-C. With the -c option it stops after the specified number of packets. The example below captures exactly 7 packets and then exits on its own, which is convenient in scripts.
# tcpdump -c 7 -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:52:19.622175 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 2373167737:2373167925, ack 3861615557, win 289, options [nop,nop,TS val 717837 ecr 857183], length 188
01:52:19.622395 IP gateway.53938 > centos7srv1.ssh: Flags [.], ack 188, win 3327, options [nop,nop,TS val 857189 ecr 717837], length 0
01:52:19.623238 IP centos7srv1.33113 > gateway.domain: 49280+ PTR? 1.122.168.192.in-addr.arpa. (44)
01:52:19.623661 IP gateway.domain > centos7srv1.33113: 49280 NXDomain 0/0/0 (44)
01:52:19.626874 IP centos7srv1.42802 > gateway.domain: 57399+ PTR? 223.122.168.192.in-addr.arpa. (46)
01:52:19.627257 IP gateway.domain > centos7srv1.42802: 57399* 1/0/0 PTR centos7srv1. (71)
01:52:19.628080 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 188:912, ack 1, win 289, options [nop,nop,TS val 717843 ecr 857189], length 724
7 packets captured
8 packets received by filter
0 packets dropped by kernel
4. Print Captured Packets in ASCII
The -A option prints each packet, minus its link-level header, as ASCII, with non-printable bytes shown as dots. It is handy for inspecting cleartext protocols such as HTTP, where request lines, cookies and credentials are directly readable. In the example below the SSH payloads are encrypted and therefore appear as noise, while the names inside the DNS PTR queries are readable.
# tcpdump -A -i eth0
01:54:13.535890 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 2391132121:2391132309, ack 3861623013, win 289, options [nop,nop,TS val 831751 ecr 885661], length 188
E...4"@.@.....z...z..........+.....!w......
..........(.T.[*q1...d..E....K.4.........P8.5...~...b p.~.>.......
.DR.....]...{h..Z<.(..uG.\7......4...~..'{...^8}.9.h".y..F..:..K..9.U]..3.T..E....Pe.).3.|.8.....TA..i?.....tt..g.\..'..G)...v...
01:54:13.536116 IP gateway.53938 > centos7srv1.ssh: Flags [.], ack 188, win 6896, options [nop,nop,TS val 885668 ecr 831751], length 0
E..4c.@.@.`...z...z......+..........vX.....
........
01:54:13.537386 IP centos7srv1.46921 > gateway.domain: 10604+ PTR? 1.122.168.192.in-addr.arpa. (44)
E..H.{@.@.A...z...z..I.5.4vw)l...........1.122.168.192.in-addr.arpa.....
01:54:13.537792 IP gateway.domain > centos7srv1.46921: 10604 NXDomain 0/0/0 (44)
E..H..@.@..T..z...z..5.I.4vw)l...........1.122.168.192.in-addr.arpa.....
01:54:13.540821 IP centos7srv1.50514 > gateway.domain: 26260+ PTR? 223.122.168.192.in-addr.arpa. (46)
E..J.~@.@.A...z...z..R.5.6vyf............223.122.168.192.in-addr.arpa.....
01:54:13.541314 IP gateway.domain > centos7srv1.50514: 26260* 1/0/0 PTR centos7srv1. (71)
E..c. @.@..8..z...z..5.R.Ov.f............223.122.168.192.in-addr.arpa..................centos7srv1.
01:54:13.658354 STP 802.1d, Config, Flags [none], bridge-id 8000.fe:54:00:bd:1d:c0.8001, length 35
........T...........T..............
3 packets captured
11 packets received by filter
0 packets dropped by kernel
5. Display Available Interfaces
The -D option lists the interfaces tcpdump can capture on, including the any pseudo-device and the loopback interface. Either the name or the number shown can be passed to -i.
# tcpdump -D
1.eth0
2.nflog (Linux netfilter log (NFLOG) interface)
3.nfqueue (Linux netfilter queue (NFQUEUE) interface)
4.usbmon1 (USB bus number 1)
5.usbmon2 (USB bus number 2)
6.usbmon3 (USB bus number 3)
7.usbmon4 (USB bus number 4)
8.any (Pseudo-device that captures on all interfaces)
9.lo [Loopback]
6. Display Captured Packets in HEX and ASCII
The -XX option prints each packet in hex and ASCII including its link-level header: the destination and source MAC addresses and the ethertype are the first 14 bytes of every packet below. -X does the same without the link-level header, and -x / -xx print hex only.
# tcpdump -XX -i eth0
01:55:53.069456 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 2402469481:2402469669, ack 3861628741, win 289, options [nop,nop,TS val 931284 ecr 910544], length 188
0x0000: fe54 00bd 1dc0 5254 00bd 1dc0 0800 4510 .T....RT......E.
0x0010: 00f0 5411 4000 4006 6fb5 c0a8 7adf c0a8 ..T.@.@.o...z...
0x0020: 7a01 0016 d2b2 8f32 c669 e62b c745 8018 z......2.i.+.E..
0x0030: 0121 7714 0000 0101 080a 000e 35d4 000d .!w.........5...
0x0040: e4d0 4341 bffb 155e 2a9d 28db 9cee c397 ..CA...^*.(.....
0x0050: 88eb 1089 bfc4 4e50 dab5 4835 17c8 99fb ......NP..H5....
0x0060: 3138 60a9 8042 00f6 da58 8afc cfd0 ad40 18`..B...X.....@
0x0070: aaaf 5b62 f126 e570 62f4 577a 3124 72a7 ..[b.&.pb.Wz1$r.
0x0080: 3b15 b09d bb8e 4f0c 1338 b498 04b2 1660 ;.....O..8.....`
0x0090: b2ef b0d8 5796 4651 ae6b 30b4 c4c7 d241 ....W.FQ.k0....A
0x00a0: 954a 4aec 2dc7 a493 0d1d 4ad7 65d8 0f50 .JJ.-.....J.e..P
0x00b0: 7202 5141 5c7b 95af c469 d1d2 feb1 001b r.QA\{...i......
0x00c0: 250c f745 9f68 f7a8 8daf c66a 7b8c 40cc %..E.h.....j{.@.
0x00d0: 599f 35b4 587f 0ea8 f4f9 320c 5c4d a763 Y.5.X.....2.\M.c
0x00e0: bd39 ad48 4ce9 6d23 805e a293 b7fc 432d .9.HL.m#.^....C-
0x00f0: 26f4 ceab 8cda 0207 8958 3ced fc94 &........X<...
01:55:53.069748 IP gateway.53938 > centos7srv1.ssh: Flags [.], ack 188, win 12176, options [nop,nop,TS val 910552 ecr 931284], length 0
0x0000: 5254 00bd 1dc0 fe54 00bd 1dc0 0800 4510 RT.....T......E.
0x0010: 0034 681f 4000 4006 5c63 c0a8 7a01 c0a8 .4h.@.@.\c..z...
0x0020: 7adf d2b2 0016 e62b c745 8f32 c725 8010 z......+.E.2.%..
0x0030: 2f90 7658 0000 0101 080a 000d e4d8 000e /.vX............
0x0040: 35d4 5.
01:55:53.070649 IP centos7srv1.47614 > gateway.domain: 52386+ PTR? 1.122.168.192.in-addr.arpa. (44)
0x0000: fe54 00bd 1dc0 5254 00bd 1dc0 0800 4500 .T....RT......E.
0x0010: 0048 c729 4000 4011 fd49 c0a8 7adf c0a8 .H.)@.@..I..z...
0x0020: 7a01 b9fe 0035 0034 7677 cca2 0100 0001 z....5.4vw......
0x0030: 0000 0000 0000 0131 0331 3232 0331 3638 .......1.122.168
0x0040: 0331 3932 0769 6e2d 6164 6472 0461 7270 .192.in-addr.arp
7. Capture and Save Packets in a File
As mentioned above, tcpdump can save captured packets to a file for later analysis. The -w option writes the raw packets in pcap format. Because the file holds raw frames, display options such as -n, -A and -X have no effect when writing; they are applied later when the file is read. Useful companions: -s sets the snapshot length per packet (the default of 262144 bytes keeps full frames), -C size and -G seconds rotate output files, and -Z user drops privileges after the interface has been opened. Many distributions drop to an unprivileged user (commonly tcpdump) by default, so the output directory must be writable by that user or the write fails with "Permission denied". A capture file contains complete payloads, including any cleartext credentials that crossed the wire, so store and share it accordingly.
Note: test.pcap is an example file name; any name can be used.
# tcpdump -w test.pcap -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C5 packets captured
8 packets received by filter
0 packets dropped by kernel
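The following is an added example, not code from the original article: a small POSIX shell script that writes a constructed one-packet pcap file and then decodes the global header and walks the packet records, which is the layout tcpdump -w produces (24-byte header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype; then a 16-byte record header before each packet). The sample frame bytes, the file names and the function names are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the original article): build a minimal, valid pcap file
# with printf, then read back the 24-byte global header and walk the packet records
# exactly as they are laid out in the file that "tcpdump -w" writes.
# All sample bytes below are constructed for this example. POSIX sh, od and cut only.

# Decode a little-endian hex string (2, 4 or 8 hex chars) into a decimal number.
le() {
    hex=$1; out=""
    while [ -n "$hex" ]; do
        out="$(printf '%s' "$hex" | cut -c1-2)$out"      # prepend each byte: reverse order
        hex=$(printf '%s' "$hex" | cut -c3-)
    done
    echo $((0x$out))
}

# Write a pcap file holding one constructed 14-byte Ethernet (ARP) frame.
# Global header, little-endian as written on x86: magic a1b2c3d4, version 2.4,
# thiszone 0, sigfigs 0, snaplen 262144 (tcpdump's default), linktype 1 = Ethernet.
write_sample_pcap() {
    f=$1
    printf '\324\303\262\241'                    > "$f"   # magic, on disk: d4 c3 b2 a1
    printf '\002\000\004\000'                   >> "$f"   # version major 2, minor 4
    printf '\000\000\000\000\000\000\000\000'   >> "$f"   # thiszone, sigfigs
    printf '\000\000\004\000'                   >> "$f"   # snaplen 0x00040000 = 262144
    printf '\001\000\000\000'                   >> "$f"   # linktype 1 (LINKTYPE_ETHERNET)
    # per-packet record header: ts_sec 0, ts_usec 0, incl_len 14, orig_len 14
    printf '\000\000\000\000\000\000\000\000'   >> "$f"
    printf '\016\000\000\000\016\000\000\000'   >> "$f"
    # constructed frame: dst ff:ff:ff:ff:ff:ff, src 52:54:00:bd:1d:c0, ethertype 0x0806 (ARP)
    printf '\377\377\377\377\377\377\122\124\000\275\035\300\010\006' >> "$f"
}

# Print "magic major.minor snaplen linktype" for a classic little-endian pcap file.
# Returns 1 for anything else, e.g. pcapng (starts 0a 0d 0d 0a) or a truncated file.
pcap_header() {
    hdr=$(od -An -tx1 -N24 "$1" | tr -d ' \n')
    [ ${#hdr} -eq 48 ] || return 1              # short read: not a complete header
    magic=$(printf '%s' "$hdr" | cut -c1-8)
    case $magic in
        d4c3b2a1|4d3cb2a1) ;;                   # little-endian, usec / nsec timestamps
        *) return 1 ;;                          # big-endian, pcapng, or not a capture at all
    esac
    printf '%s %d.%d %d %d\n' "$magic" \
        "$(le "$(printf '%s' "$hdr" | cut -c9-12)")"  \
        "$(le "$(printf '%s' "$hdr" | cut -c13-16)")" \
        "$(le "$(printf '%s' "$hdr" | cut -c33-40)")" \
        "$(le "$(printf '%s' "$hdr" | cut -c41-48)")"
}

# Walk the records after the header and print the packet count. Returns 1 if the
# file ends inside a record, the usual symptom of a tcpdump killed mid-write.
pcap_packet_count() {
    size=$(wc -c < "$1" | tr -d ' ')
    off=24; n=0
    while [ "$off" -lt "$size" ]; do
        rec=$(od -An -tx1 -j "$off" -N16 "$1" | tr -d ' \n')
        [ ${#rec} -eq 32 ] || return 1
        incl=$(le "$(printf '%s' "$rec" | cut -c17-24)")   # incl_len: bytes saved for this packet
        off=$((off + 16 + incl)); n=$((n + 1))
    done
    [ "$off" -eq "$size" ] || return 1
    echo "$n"
}

# Stand-alone use: "sh pcapcheck.sh capture.pcap" inspects a real file; with no
# argument the constructed sample is written to a temp file and inspected instead.
if [ $# -gt 0 ]; then
    target=$1
else
    target=$(mktemp); write_sample_pcap "$target"
fi
pcap_header "$target"       || echo "not a classic pcap file: $target"
pcap_packet_count "$target" || echo "truncated capture: $target"
[ $# -gt 0 ] || rm -f "$target"
```

Run it against a real capture before handing the file to someone else: it confirms the file is classic pcap (Wireshark can also save pcapng, which this script rejects on purpose) and that the last record is complete, which tcpdump -r would only report as a read error at the end of the file.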
8. Read Captured Packets File
To read and analyze the saved test.pcap file, use the -r option as shown below. Reading a file needs no root privileges, and filter expressions and display options (-n, -A, -X, -c) can be combined with -r exactly as in a live capture.
# tcpdump -r test.pcap
reading from file test.pcap, link-type EN10MB (Ethernet)
01:59:51.587239 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 2402481853:2402481977, ack 3861631381, win 289, options [nop,nop,TS val 1169802 ecr 970175], length 124
01:59:51.587553 IP gateway.53938 > centos7srv1.ssh: Flags [.], ack 124, win 12176, options [nop,nop,TS val 970182 ecr 1169802], length 0
01:59:51.655365 STP 802.1d, Config, Flags [none], bridge-id 8000.fe:54:00:bd:1d:c0.8001, length 35
01:59:53.655503 STP 802.1d, Config, Flags [none], bridge-id 8000.fe:54:00:bd:1d:c0.8001, length 35
01:59:55.655445 STP 802.1d, Config, Flags [none], bridge-id 8000.fe:54:00:bd:1d:c0.8001, length 35
9. Print IP Addresses Instead of Host Names
By default tcpdump resolves every address it prints with a reverse DNS lookup; the PTR queries seen in the earlier outputs are those lookups, generated by tcpdump itself. Use -n to print numeric addresses and skip the lookups. This makes the output faster, keeps the capture free of self-inflicted DNS traffic, and avoids telling the resolver which hosts you are looking at. -nn additionally prints port numbers instead of service names (22 rather than ssh).
# tcpdump -n -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
02:16:29.446653 IP 192.168.122.223.ssh > 192.168.122.1.53938: Flags [P.], seq 24909448:24909660, ack 14905, win 289, options [nop,nop,TS val 2167662 ecr 1219651], length 212
02:16:29.446797 IP 192.168.122.223.ssh > 192.168.122.1.53938: Flags [P.], seq 24909660:24910024, ack 14905, win 289, options [nop,nop,TS val 2167662 ecr 1219651], length 364
02:16:29.446873 IP 192.168.122.223.ssh > 192.168.122.1.53938: Flags [P.], seq 24910024:24910236, ack 14905, win 289, options [nop,nop,TS val 2167662 ecr 1219651], length 212
02:16:29.446938 IP 192.168.122.1.53938 > 192.168.122.223.ssh: Flags [.], ack 24910024, win 12176, options [nop,nop,TS val 1219651 ecr 2167662], length 0
02:16:29.446955 IP 192.168.122.1.53938 > 192.168.122.223.ssh: Flags [P.], seq 14905:14941, ack 24910236, win 12176, options [nop,nop,TS val 1219651 ecr 2167662], length 36
02:16:29.446983 IP 192.168.122.223.ssh > 192.168.122.1.53938: Flags [P.], seq 24910236:24910448, ack 14941, win 289, options [nop,nop,TS val 2167662 ecr 1219651], length 212
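The following is an added example, not part of the original article: a POSIX shell script with two awk-based functions that post-process the text output of tcpdump -nn, live or from a saved file read with -r as in sections 8 and 9, summarising bytes per host pair and flagging sources that send bare SYNs to many ports. The SAMPLE lines are constructed in the format shown above (the 10.0.0.9 scanner, the 192.0.2.10 answer and the DNS lines are invented for the example) and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the original article): summarise the text that
# "tcpdump -nn" or "tcpdump -nn -r file.pcap" prints, without re-reading the pcap.
# SAMPLE is constructed input in the article's line format (numeric hosts and ports).
# Only "IP" lines are handled; "IP6" lines use a different address syntax.

SAMPLE='02:16:29.446653 IP 192.168.122.223.22 > 192.168.122.1.53938: Flags [P.], seq 24909448:24909660, ack 14905, win 289, options [nop,nop,TS val 2167662 ecr 1219651], length 212
02:16:29.446797 IP 192.168.122.223.22 > 192.168.122.1.53938: Flags [P.], seq 24909660:24910024, ack 14905, win 289, options [nop,nop,TS val 2167662 ecr 1219651], length 364
02:16:29.446938 IP 192.168.122.1.53938 > 192.168.122.223.22: Flags [.], ack 24910024, win 12176, options [nop,nop,TS val 1219651 ecr 2167662], length 0
02:16:29.446955 IP 192.168.122.1.53938 > 192.168.122.223.22: Flags [P.], seq 14905:14941, ack 24910236, win 12176, options [nop,nop,TS val 1219651 ecr 2167662], length 36
02:16:30.001000 IP 192.168.122.223.47626 > 8.8.8.8.53: 24612+ A? google.com. (28)
02:16:30.002000 IP 8.8.8.8.53 > 192.168.122.223.47626: 24612 1/0/0 A 192.0.2.10 (44)
02:16:31.100000 IP 10.0.0.9.40001 > 192.168.122.223.22: Flags [S], seq 1, win 1024, length 0
02:16:31.100100 IP 10.0.0.9.40002 > 192.168.122.223.23: Flags [S], seq 1, win 1024, length 0
02:16:31.100200 IP 10.0.0.9.40003 > 192.168.122.223.80: Flags [S], seq 1, win 1024, length 0
02:16:32.000000 STP 802.1d, Config, Flags [none], bridge-id 8000.fe:54:00:bd:1d:c0.8001, length 35'

# Read tcpdump lines on stdin; print "packets bytes src > dst" per host pair,
# busiest pair first. "bytes" is what tcpdump prints: TCP payload length for TCP
# lines and the DNS message length in parentheses for DNS lines, not wire bytes.
top_talkers() {
    awk '
    $2 == "IP" {
        src = $3; sub(/\.[^.]*$/, "", src)                     # drop the port/service suffix
        dst = $5; sub(/:$/, "", dst); sub(/\.[^.]*$/, "", dst)
        len = 0
        if ($NF ~ /^\([0-9]+\)$/) len = substr($NF, 2, length($NF) - 2) + 0; else if ($(NF-1) == "length") len = $NF + 0
        key = src " > " dst
        pkts[key]++; bytes[key] += len
    }
    END { for (k in pkts) print pkts[k], bytes[k], k }' | sort -k2,2nr -k3
}

# Read tcpdump lines on stdin; print "src distinct_ports" for every source that
# sent a bare SYN (Flags [S], not the SYN-ACK [S.]) to at least $1 distinct
# destination ports. A high count from one source is the classic port-scan signature.
syn_scan_candidates() {
    awk -v min="${1:-10}" '
    $2 == "IP" && index($0, "Flags [S]") {
        src = $3; sub(/\.[^.]*$/, "", src)
        dst = $5; sub(/:$/, "", dst)
        n = split(dst, d, "."); port = d[n]
        if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
    }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | sort -k2,2nr
}

# Stand-alone use:
#   sh flows.sh --demo                                 # run on the constructed SAMPLE
#   tcpdump -nn -r test.pcap | sh flows.sh --flows     # host pairs from a real capture
#   tcpdump -nn -r test.pcap | sh flows.sh --syn 20    # sources SYN-ing 20+ ports
case "${1-}" in
    --demo)  printf '%s\n' "$SAMPLE" | top_talkers
             printf '%s\n' "$SAMPLE" | syn_scan_candidates 3 ;;
    --flows) top_talkers ;;
    --syn)   syn_scan_candidates "${2:-10}" ;;
esac
```

The same pipeline works on a live capture (tcpdump -nn -i eth0 -c 10000 | sh flows.sh --flows); the -nn is essential, because with name resolution the host field would carry names that change between runs and the port suffix would be a service name rather than a number.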
10. Capture Only TCP Packets
To capture only TCP packets, add the protocol qualifier tcp to the filter expression; udp, icmp and arp work the same way. The filter expression always comes after the options on the command line.
# tcpdump -i eth0 tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
02:17:18.498504 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 4131072:4131412, ack 2845, win 289, options [nop,nop,TS val 2216713 ecr 1231914], length 340
02:17:18.498548 IP gateway.53938 > centos7srv1.ssh: Flags [.], ack 4131072, win 12176, options [nop,nop,TS val 1231914 ecr 2216713], length 0
02:17:18.498639 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 4131412:4131752, ack 2845, win 289, options [nop,nop,TS val 2216714 ecr 1231914], length 340
02:17:18.498713 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 4131752:4131948, ack 2845, win 289, options [nop,nop,TS val 2216714 ecr 1231914], length 196
02:17:18.498729 IP gateway.53938 > centos7srv1.ssh: Flags [.], ack 4131752, win 12176, options [nop,nop,TS val 1231914 ecr 2216713], length 0
02:17:18.498800 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 4131948:4132288, ack 2845, win 289, options [nop,nop,TS val 2216714 ecr 1231914], length 340
02:17:18.498872 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 4132288:4132484, ack 2845, win 289, options [nop,nop,TS val 2216714 ecr 1231914], length 196
02:17:18.498887 IP gateway.53938 > centos7srv1.ssh: Flags [.], ack 4132288, win 12176, options [nop,nop,TS val 1231914 ecr 2216714], length 0
02:17:18.498973 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 4132484:4132824, ack 2845, win 289, options [nop,nop,TS val 2216714 ecr 1231914], length 340
02:17:18.499047 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 4132824:4133020, ack 2845, win 289, options [nop,nop,TS val 2216714 ecr 1231914], length 196
02:17:18.499076 IP gateway.53938 > centos7srv1.ssh: Flags [.], ack 4132824, win 12176, options [nop,nop,TS val 1231914 ecr 2216714], length 0
02:17:18.499151 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 4133020:4133360, ack 2845, win 289, options [nop,nop,TS val 2216714 ecr 1231914], length 340
02:17:18.499196 IP gateway.53938 > centos7srv1.ssh: Flags [.], ack 4133360, win 12176, options [nop,nop,TS val 1231914 ecr 2216714], length 0
02:17:18.499265 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 4133360:4133700, ack 2845, win 289, options [nop,nop,TS val 2216714 ecr 1231914], length 340
02:17:18.499335 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 4133700:4133896, ack 2845, win 289, options [nop,nop,TS val 2216714 ecr 1231914], length 196
02:17:18.499378 IP gateway.53938 > centos7srv1.ssh: Flags [.], ack 4133896, win 12176, options [nop,nop,TS val 1231914 ecr 2216714], length 0
11. Capture Packet from Specific Port
To capture packets for a specific port, say 22, add port 22 to the filter as shown below. port matches either the source or the destination port, and both TCP and UDP; use src port 22 or dst port 22 to match one direction only, and combine qualifiers with and, or and not (for example tcp and port 22).
# tcpdump -i eth0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
02:22:16.821216 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 743608:743804, ack 217, win 289, options [nop,nop,TS val 2515036 ecr 1306495], length 196
02:22:16.821274 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 743804:744000, ack 217, win 289, options [nop,nop,TS val 2515036 ecr 1306495], length 196
02:22:16.821332 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 744000:744196, ack 217, win 289, options [nop,nop,TS val 2515036 ecr 1306495], length 196
02:22:16.821440 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 744196:744392, ack 217, win 289, options [nop,nop,TS val 2515036 ecr 1306495], length 196
02:22:16.821577 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 744392:744588, ack 217, win 289, options [nop,nop,TS val 2515037 ecr 1306495], length 196
02:22:16.833570 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 744588:744784, ack 217, win 289, options [nop,nop,TS val 2515049 ecr 1306495], length 196
02:22:16.851464 IP gateway.53938 > centos7srv1.ssh: Flags [.], ack 744784, win 11982, options [nop,nop,TS val 1306503 ecr 2515033], length 0
02:22:16.851563 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 744784:744980, ack 217, win 289, options [nop,nop,TS val 2515066 ecr 1306503], length 196
02:22:16.851698 IP gateway.53938 > centos7srv1.ssh: Flags [P.], seq 217:253, ack 744784, win 12065, options [nop,nop,TS val 1306503 ecr 2515033], length 36
^C
12. Capture Packets from source IP
To capture packets from a particular source IP address, say 192.168.122.223, use src followed by the address as shown below. src net 192.168.122.0/24 matches a whole subnet, and host 192.168.122.223 matches packets in both directions.
# tcpdump -i eth0 src 192.168.122.223
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:35:56.270868 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 2474244501:2474244689, ack 3861690317, win 289, options [nop,nop,TS val 3334486 ecr 1511354], length 188
02:35:56.271970 IP centos7srv1.44864 > gateway.domain: 14618+ PTR? 1.122.168.192.in-addr.arpa. (44)
02:35:56.275899 IP centos7srv1.39536 > gateway.domain: 22776+ PTR? 223.122.168.192.in-addr.arpa. (46)
02:35:56.276879 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 188:600, ack 1, win 289, options [nop,nop,TS val 3334492 ecr 1511360], length 412
02:35:56.277136 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 600:788, ack 1, win 289, options [nop,nop,TS val 3334492 ecr 1511362], length 188
02:35:56.277549 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 788:976, ack 1, win 289, options [nop,nop,TS val 3334492 ecr 1511362], length 188
02:35:56.277870 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 976:1164, ack 37, win 289, options [nop,nop,TS val 3334493 ecr 1511362], length 188
02:35:56.278183 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 1164:1352, ack 37, win 289, options [nop,nop,TS val 3334493 ecr 1511362], length 188
02:35:56.278821 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 1352:1540, ack 37, win 289, options [nop,nop,TS val 3334494 ecr 1511362], length 188
02:35:56.279215 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 1540:1728, ack 37, win 289, options [nop,nop,TS val 3334494 ecr 1511362], length 188
02:35:56.279631 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 1728:1916, ack 37, win 289, options [nop,nop,TS val 3334494 ecr 1511362], length 188
02:35:56.279909 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 1916:2104, ack 37, win 289, options [nop,nop,TS val 3334495 ecr 1511363], length 188
02:35:56.280275 IP centos7srv1.ssh > gateway.53938: Flags [P.], seq 2104:2292, ack 37, win 289, options [nop,nop,TS val 3334495 ecr 1511363], length 188
^C13 packets captured
15 packets received by filter
0 packets dropped by kernel
13. Capture Packets from destination IP
To capture packets to a destination IP address, say 8.8.8.8 (Google Public DNS), use dst followed by the address as shown below. Because dst matches only outbound packets, this shows whether the system sends name lookups to 8.8.8.8 but not whether any reply comes back; use host 8.8.8.8 (or host 8.8.8.8 and port 53) to see both directions. The google-public-dns-a.google.com name in the output is again tcpdump's own reverse lookup; -n would print 8.8.8.8 instead.
# tcpdump -i eth0 dst 8.8.8.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:39:04.850762 IP centos7srv1.47626 > google-public-dns-a.google.com.domain: 24612+ A? google.com. (28)
02:39:04.851876 IP centos7srv1.46955 > google-public-dns-a.google.com.domain: 60894+ PTR? 8.8.8.8.in-addr.arpa. (38)
02:39:04.854927 IP centos7srv1.54974 > google-public-dns-a.google.com.domain: 14998+ PTR? 223.122.168.192.in-addr.arpa. (46)
02:39:13.046482 IP centos7srv1.45745 > google-public-dns-a.google.com.domain: 50848+ A? redhat.com. (28)
^C4 packets captured
4 packets received by filter
0 packets dropped by kernel
I hope this article helps you explore the tcpdump command in more depth and to capture and analyse packets in the future. tcpdump has many more options than the ones shown here; as mentioned earlier, it is a very powerful tool, widely used by Linux/Unix and network administrators to analyse and diagnose network problems. Refer to the tcpdump man page, and to pcap-filter(7) for the full filter syntax, to learn the remaining options.
Please share your feedback if you find this article useful through my blog comment box. If you have a query regarding this topic, feel free to write it in the comment box or drop me an email at webmaster@cjcheema.com.